On the new 2003 R2 server
I added it as a member server to the domain and then ran Dcpromo on it, and all seems to run fine.
On the new DC the Sysvol and Netlogon folders were automatically created and shared, and I can see the login scripts are in them.

I am getting an issue on the new 2003 DC in the event log every 5 minutes.
Event ID: 1058
“Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Athlone,DC=local. The file must be present at the location <\\Athlone.local\sysvol\Athlone.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (The system cannot find the path specified. ). Group Policy processing aborted.”

Looking from both servers at the Sysvol\sysvol\athlone.local\Policies folder, I do not see a folder called 31B2F340-016D-11D2-945F-00C04FB984F9; I do see another folder called A0CA9A6E-1944-46E7-4124178B1C9F.
When I go into Active Directory on either DC I can access the GPO I have on the Users OU, but when I try to open Domain Controllers – Default Domain Controllers Policy to edit it I get the error “Failed to open the group policy object. You may not have the appropriate rights, the system cannot find the path specified.”

Also, when I try to access the Default Domain Policy I get the same errors.

I ran DCDIAG on the 2K DC and it comes back all fine.

Looking online for fixes I have come across:
1) Using DCGPOFIX for Server 2003 to recreate the Default Domain Controllers Policy
2) Dcgpofix for Server 2000 to recreate the Default Domain Controllers Policy
I have read that there can be issues after the two above, where “The Dcgpofix tool does not restore security settings in the Default Domain Controller Policy to their original state”.
OR
3) http://support.microsoft.com/kb/315457, which instructs me on “How to rebuild the SYSVOL tree and its content in a domain”.
I have not moved the 5 FSMO roles over to the new DC as yet, as I intend to retire the 2000 DC since it's an old server.

So I may have 2 other options:
a) Move the 5 roles over onto the new DC, set up DHCP/DNS and then try DCGPOFIX
b) Demote the new DC and then run DCGPOFIX on the 2K server.
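The symptom in the question (Event ID 1058 pointing at a gpt.ini that is not on disk, and a Policies folder that is missing the default GPO's GUID folder) comes down to a simple consistency check between the GPO list held in AD and the SYSVOL file tree. The script below is an added example, not code from the thread, that performs that check offline against a constructed Policies tree: it walks a list of GPO GUIDs, reports which have no folder or no gpt.ini, and decodes the packed Version value in gpt.ini (high 16 bits = user version, low 16 bits = computer version). The two default-policy GUIDs are Microsoft's well-known values; the third GUID is a hypothetical placeholder standing in for the custom Users OU GPO, not the (truncated) GUID quoted in the post.

```python
"""Check that every GPO known to AD has a SYSVOL folder with a readable gpt.ini.

Added example (not from the original thread). For each GPO GUID it expects
<Policies>\\{GUID}\\gpt.ini, the file named in Event ID 1058, and decodes the
packed Version value the way the Group Policy engine does.
"""
import configparser
import os
import tempfile

# Well-known GUIDs of the two GPOs that dcpromo creates (documented by Microsoft).
DEFAULT_DOMAIN_POLICY = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
DEFAULT_DC_POLICY = "{6AC1786C-016F-11D2-945F-00C04FB984F9}"


def parse_gpt_ini(text):
    """Return (user_version, computer_version) from the text of a gpt.ini."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep key case; the file uses "Version"
    cp.read_string(text)
    version = int(cp["General"]["Version"])
    return version >> 16, version & 0xFFFF


def check_sysvol(policies_dir, gpo_guids):
    """Map each GPO GUID to 'ok (...)', 'missing-folder' or 'missing-gpt.ini'.

    policies_dir is the ...\\sysvol\\<domain>\\Policies directory; gpo_guids is
    the list of GUIDs taken from CN=Policies,CN=System in AD (here constructed).
    """
    report = {}
    for guid in gpo_guids:
        folder = os.path.join(policies_dir, guid)
        gpt = os.path.join(folder, "gpt.ini")
        if not os.path.isdir(folder):
            report[guid] = "missing-folder"      # the state in the question
        elif not os.path.isfile(gpt):
            report[guid] = "missing-gpt.ini"
        else:
            with open(gpt, encoding="utf-8") as fh:
                user_v, comp_v = parse_gpt_ini(fh.read())
            report[guid] = f"ok (user={user_v}, computer={comp_v})"
    return report


def build_sample_sysvol():
    """Construct a throw-away Policies tree resembling the broken state in the
    question: only the custom GPO folder exists, both default GPO folders are gone.
    The GUID is a hypothetical placeholder, not a value from the post."""
    root = tempfile.mkdtemp(prefix="sysvol-policies-")
    custom = "{11111111-2222-3333-4444-555555555555}"
    os.makedirs(os.path.join(root, custom))
    with open(os.path.join(root, custom, "gpt.ini"), "w", encoding="utf-8") as fh:
        # Version=65539 is 0x00010003: user version 1, computer version 3.
        fh.write("[General]\nVersion=65539\ndisplayName=Users OU policy\n")
    return root, custom


if __name__ == "__main__":
    root, custom = build_sample_sysvol()
    wanted = [DEFAULT_DOMAIN_POLICY, DEFAULT_DC_POLICY, custom]
    for guid, status in check_sysvol(root, wanted).items():
        print(guid, status)
```

Run against a real DC, `policies_dir` would be the local `%SystemRoot%\SYSVOL\sysvol\<domain>\Policies` path and `gpo_guids` the GUIDs enumerated from AD; a "missing-folder" result for a default GPO is exactly what gpotool.exe reports as a SYSVOL/AD mismatch and is the case dcgpofix is meant for.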



This is the Default Domain Policy (31B2F340-016D-11D2-945F-00C04FB984F9), and it looks to be corrupted, either by an antivirus scan, by a virus infection or by modification.
Copy the same from a healthy DC to the problem DC.
Run gpotool.exe on the problem server and see whether it reports an error.
If you don't have any healthy server containing the default policy, you can run dcgpofix, but as blunttony said it is a last option.
You should always exclude Sysvol and NTDS from scanning, and never modify the Default Domain and Domain Controller policies; if you want changes, create a new policy and link it.
You can also use the Group Policy Best Practice Analyser: http://blogs.technet.com/askds/archive/2008/04/11/group-policy-best-practice-analyzer.aspx

You should have run GPPrep as part of the domain upgrade. You will need to do this in any case, and it can be run from any server that has the adprep files on it. The gpotool will not help if you have lost the GPO.

You can recreate the default policies using the dcgpofix tool, but it will overwrite the files. You will also have to recreate any settings you had within them.

adprep /domainprep /gpprep is run on the infrastructure master and adds inheritable access control entries (ACEs) on GPOs in the Sysvol shared resource. The additional ACEs give enterprise domain controllers read access permissions on GPOs. These permissions are required to support Resultant Set of Policy (RSoP) functionality for site-based policy.

OK, I will run adprep /domainprep /gpprep on the 2K DC first, as this machine is the infrastructure master.

Am I right in saying that dcgpofix /ignoreschema has to be run on the 2003 DC and not the 2000 DC, as this tool only works on the Server 2003 family?
So on the 2003 DC, from a command prompt, I go to the C:\Windows\Repair folder
and just run dcgpofix /ignoreschema and accept when asked:
" You are about to restore Default Domain policy and Default Domain
Controller policy for the following domain

MyDomain.local

Do you want to continue: ? Y"

Will this have any effect or issues on the 2K DC, as it still has all 5 roles running on it and is currently the only global catalog server in the domain? Also, will it affect the 2003 Exchange member server?

Thanks guys - I will run
1) adprep /domainprep /gpprep on the 2K DC
2) dcgpofix /ignoreschema on the 2003 DC

It will be Monday when I run these as I am not back at the site until then.


MidCompCompany (Author, Owner) commented: 2010-03-28

I ran the above today. All seems fine with the policies now, but I ran into an issue on the Exchange 2003 server after the GPO security settings were reset:
Only Administrators had the Manage auditing and security log right under Computer Configuration > Security Settings > Local Policy > User Rights Assignment > Manage auditing and security log, which resulted in the Exchange server not functioning (STORE.EXE does not have audit security privilege on the Domain Controller. This Domain Controller will not be used by DSAccess).
Here is the fix:
1. Open the Default Domain Controllers Security Settings snap-in on the domain controller specified in the event description.

2. In the console tree, under Security Settings, expand Local Policies, and then click User Rights Assignments.

3. In the results pane, double-click Manage auditing and security log. Verify that both the Exchange Servers group and the Exchange Enterprise Servers group are listed.

Make sure that the Exchange server is still a member of the Exchange Domain Servers group. Also, make sure that the Exchange Domain Servers group is a member of Exchange Enterprise Servers group.

I could not see any other issues. I will be onsite tomorrow and, once everything is ok there, I will update and award points.

The reason the default Exchange groups were not there is that when you ran dcgpofix it reset the default policies, and the Exchange groups are added when you run Exchange setup.

So, it's normal.

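The side effect described in the two comments above (dcgpofix resets the Default Domain Controllers Policy's user rights to their out-of-box values, silently dropping the principals Exchange setup had added to "Manage auditing and security log") can be caught before the Exchange services notice it. The script below is an added example, not code from the thread: it parses the `[Privilege Rights]` section of the GPO's security template (`GptTmpl.inf` under `MACHINE\Microsoft\Windows NT\SecEdit` in the GPO folder) from a copy taken before the reset and from the file after it, and reports which principals were dropped from which privilege. "Manage auditing and security log" is `SeSecurityPrivilege`. The template texts and the domain SIDs standing in for the Exchange groups are constructed for the example; only `*S-1-5-32-544` (BUILTIN\Administrators) is a real well-known SID.

```python
"""Diff the [Privilege Rights] of a Default Domain Controllers Policy security
template before and after dcgpofix, and flag principals that lost a right.

Added example, not from the thread. On disk GptTmpl.inf is UTF-16 (the
[Unicode] header says so), so read real files with encoding="utf-16".
"""
import configparser

ADMINISTRATORS = "*S-1-5-32-544"                       # well-known BUILTIN\Administrators
# Hypothetical domain SIDs standing in for the Exchange groups (constructed).
EXCHANGE_ENTERPRISE_SERVERS = "*S-1-5-21-1000-2000-3000-1110"
EXCHANGE_DOMAIN_SERVERS = "*S-1-5-21-1000-2000-3000-1111"

# Constructed template as Exchange setup would have left it: the Exchange groups
# hold SeSecurityPrivilege ("Manage auditing and security log") next to Administrators.
BEFORE_RESET = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeSecurityPrivilege = *S-1-5-32-544,*S-1-5-21-1000-2000-3000-1110,*S-1-5-21-1000-2000-3000-1111
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
"""

# Constructed template after dcgpofix: only Administrators is left on the right.
AFTER_DCGPOFIX = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeSecurityPrivilege = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
"""


def parse_privilege_rights(text):
    """Return {privilege_name: set of '*SID' principals} from a GptTmpl.inf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                 # privilege names are case-sensitive
    cp.read_string(text)
    rights = {}
    for priv, value in cp["Privilege Rights"].items():
        rights[priv] = {p.strip() for p in value.split(",") if p.strip()}
    return rights


def dropped_principals(before_text, after_text):
    """Return {privilege: principals present before the reset but not after}."""
    before = parse_privilege_rights(before_text)
    after = parse_privilege_rights(after_text)
    dropped = {}
    for priv, principals in before.items():
        missing = principals - after.get(priv, set())
        if missing:
            dropped[priv] = missing
    return dropped


def missing_security_log_managers(template_text, required):
    """Principals from `required` that are absent from SeSecurityPrivilege,
    i.e. the Exchange groups the STORE.EXE/DSAccess event complains about."""
    rights = parse_privilege_rights(template_text)
    return set(required) - rights.get("SeSecurityPrivilege", set())


if __name__ == "__main__":
    for priv, who in dropped_principals(BEFORE_RESET, AFTER_DCGPOFIX).items():
        print(f"{priv}: dropped {sorted(who)}")
    gone = missing_security_log_managers(
        AFTER_DCGPOFIX, [EXCHANGE_ENTERPRISE_SERVERS, EXCHANGE_DOMAIN_SERVERS])
    print("Exchange groups missing from Manage auditing and security log:", sorted(gone))
```

In practice the "before" copy is whatever backup of the `{6AC1786C-016F-11D2-945F-00C04FB984F9}` folder exists (or a template exported with `secedit /export` from a healthy DC); anything listed under `SeSecurityPrivilege` in the diff is what has to be re-added through the Default Domain Controllers Security Settings snap-in, as the fix above describes.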

MidCompCompany (Author, Owner) commented: 2010-03-29

The Exchange server is not sending/receiving mail since:

LDAP Bind was unsuccessful on directory HODBAYFS.Athlone.local for distinguished name ''. Directory returned error:[0x51] Server Down. DC=Athlone,DC=local
Could not open LDAP session to directory 'HODBAYFS.Athlone.local' using local service credentials. Cannot access Address List configuration information. Make sure the server 'HODBAYFS.Athlone.local' is running. DC=Athlone,DC=local
Permanent failure reported by policy group provider for 'CN=System Policies,CN=HBH,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Athlone,DC=local':'MAD.EXE', error=80040103. Taking provider offline.
The Win32 API call 'DsGetDCNameW' returned error code [0x54b] The specified domain either does not exist or could not be contacted. The service could not be initialized. Make sure that the operating system was installed properly.
Process MAD.EXE (PID=2416). All Global Catalog Servers in use are not responding:
HODBAYFS.Athlone.local
The MAPI call 'OpenMsgStore' failed with the following error:
The information store could not be opened.
The logon to the Microsoft Exchange Server computer failed.
MAPI 1.0
ID no: 80040111-0286-00000000
where HODBAYFS is the Win2K DC.


MidCompCompany (Author, Owner) commented: 2010-03-29

Did a reboot of the Exchange System Attendant service and it now seems ok; I will monitor, but mail is going in/out.


MidCompCompany (Author, Owner) commented: 2010-03-30

All working now. The Exchange threw me off, but I got it resolved easily enough.